Update your security provider to protect against SSL exploits

Android relies on a security Provider to
provide secure network communications. However, from time to time,
vulnerabilities are found in the default security provider. To protect against
these vulnerabilities, Google Play
services provides a way to automatically update a device's security provider
to protect against known exploits. By calling Google Play services methods, your
app can ensure that it's running on a device that has the latest updates to
protect against known exploits.

For example, a vulnerability was discovered in OpenSSL
(CVE-2014-0224)
that can leave apps open to a "man-in-the-middle" attack that decrypts
secure traffic without either side knowing. With Google Play services version
5.0, a fix is available, but apps must ensure that this fix is installed. By
using the Google Play services methods, your app can ensure that it's running
on a device that's secured against that attack.

If the device's Provider is successfully
updated (or is already up-to-date), the method returns normally.

If the device's Google Play services library is out of date, the method
throws
GooglePlayServicesRepairableException.
The app can then catch this exception and show
the user an appropriate dialog box to update Google Play services.

The
installIfNeededAsync()
method behaves similarly, except that instead of
throwing exceptions, it calls the appropriate callback method to indicate
success or failure.

If installIfNeeded()
needs to install a new Provider, this can take
anywhere from 30-50 milliseconds (on more recent devices) to 350 ms (on older
devices). If the security provider is already up-to-date, the method takes a
negligible amount of time. To avoid affecting user experience:

Call
installIfNeeded()
from background networking threads immediately when the threads are loaded,
instead of waiting for the thread to try to use the network. (There's no harm
in calling the method multiple times, since it returns immediately if the
security provider doesn't need updating.)

If user experience will be affected by the thread blocking--for example,
if the call is from an activity in the UI thread--call the asynchronous
version of the method,
installIfNeededAsync().
(Of course, if you do this, you need to wait for the operation to finish
before you attempt any secure communications. The
ProviderInstaller
calls your listener's onProviderInstalled()
method to signal success.)

Warning: If the
ProviderInstaller
is unable to install an updated Provider,
your device's security provider might be vulnerable to known exploits. Your app
should behave as if all HTTP communication is unencrypted.

Patch synchronously

The simplest way to patch the security provider is to call the synchronous
method installIfNeeded().
This is appropriate if user experience won't be affected by the thread blocking
while it waits for the operation to finish.

For example, here's an implementation of a sync adapter that updates the security provider. Since a sync
adapter runs in the background, it's okay if the thread blocks while waiting
for the security provider to be updated. The sync adapter calls
installIfNeeded() to
update the security provider. If the method returns normally, the sync adapter
knows the security provider is up-to-date. If the method throws an exception,
the sync adapter can take appropriate action (such as prompting the user to
update Google Play services).

Java

/**
* Sample sync adapter using {@link ProviderInstaller}.
*/
public class SyncAdapter extends AbstractThreadedSyncAdapter {
...
// This is called each time a sync is attempted; this is okay, since the
// overhead is negligible if the security provider is up-to-date.
@Override
public void onPerformSync(Account account, Bundle extras, String authority,
ContentProviderClient provider, SyncResult syncResult) {
try {
ProviderInstaller.installIfNeeded(getContext());
} catch (GooglePlayServicesRepairableException e) {
// Indicates that Google Play services is out of date, disabled, etc.
// Prompt the user to install/update/enable Google Play services.
GoogleApiAvailability.getInstance()
.showErrorNotification(context, e.connectionStatusCode)
// Notify the SyncManager that a soft error occurred.
syncResult.stats.numIoExceptions++;
return;
} catch (GooglePlayServicesNotAvailableException e) {
// Indicates a non-recoverable error; the ProviderInstaller is not able
// to install an up-to-date Provider.
// Notify the SyncManager that a hard error occurred.
syncResult.stats.numAuthExceptions++;
return;
}
// If this is reached, you know that the provider was already up-to-date,
// or was successfully updated.
}
}

Patch asynchronously

Updating the security provider can take as much as 350 milliseconds (on
older devices). If you're doing the update on a thread that directly affects
user experience, such as the UI thread, you don't want to make a synchronous
call to update the provider, since that can result in the app or device
freezing until the operation finishes. Instead, you should use the asynchronous
method
installIfNeededAsync().
That method indicates its success or failure by calling callbacks.

For example, here's some code that updates the security provider in an
activity in the UI thread. The activity calls installIfNeededAsync()
to update the provider, and designates itself as the listener to receive success
or failure notifications. If the security provider is up-to-date or is
successfully updated, the activity's
onProviderInstalled()
method is called, and the activity knows communication is secure. If the
provider cannot be updated, the activity's
onProviderInstallFailed()
method is called, and the activity can take appropriate action (such as
prompting the user to update Google Play services).